
I am building a website which requires user authentication. I'm using React for that. How do I make a secure login system? Everything I have is in localStorage. I'm afraid that with this solution, anyone can make their own localStorage in their browser and use it to log in and authenticate as real users. Below is my login function:

```javascript
login() {
  if (typeof Storage !== "undefined") {
    const { user } = this.state;
    localStorage.setItem("userId", user._id);
    localStorage.setItem("username", user.username);
    localStorage.setItem("email", user.email);
    localStorage.setItem("date", user.date);
    // setState is asynchronous, so write the new value directly instead of
    // reading this.state.isLoggedIn straight after calling setState.
    this.setState({ isLoggedIn: true });
    localStorage.setItem("isLoggedIn", "true");
    // getItem returns a string, so compare against "true" rather than
    // relying on truthiness (the string "false" would also be truthy).
    if (localStorage.getItem("isLoggedIn") === "true") {
      console.log("Congratulations " + localStorage.getItem("username") + ", you are now logged in.");
      setTimeout(() => {
        window.location.pathname = "/user";
      }, 500);
    }
  } else {
    console.log("No support for local storage");
  }
}
```

What should I change to make it more secure? Or should I move to another solution, without using Local Storage at all?

    Possible duplicate of [Can local storage ever be considered secure?](https://stackoverflow.com/questions/17280390/can-local-storage-ever-be-considered-secure) – Mikey May 28 '17 at 17:39
  • have a look at Sessions or Tokens – Jonas Wilms May 28 '17 at 17:48
  • Your server should generate a JSON Web Token (or some other type of "signed token") and send it to the client when a user logs in. Store the token in local storage. Then on every request to the server, the client should include the token. The server will validate the token, so it will detect when the user modifies or creates their own token (those will fail validation). This is pretty much the same strategy that is used w/cookies. – Sunil D. May 28 '17 at 17:52

0 Answers